NFS and Firewall
The most recent version of this document can always be found at: http://rlworkman.net/howtos/NFS_Firewall_HOWTO --rworkman
This document is intended to give you detailed steps for making NFS bind to user-specified ports instead of random ports assigned by the portmapper. This makes it *much* easier to run a firewall on the NFS server, as you don't have to kludge something to find the NFS ports at each boot to open them with iptables.
First, you'll want to make sure all of this is in /etc/services (it's not strictly necessary, but it's handy to have later). I put "NFS" in the comment of every line I added or modified so that I can easily find (or remove) them again if I need to later.

    bash-3.00# grep NFS /etc/services
    sunrpc          111/tcp         rpcbind         # SUN Remote Procedure Call
    sunrpc          111/udp         rpcbind         # SUN Remote Procedure Call
    mountd          861/udp                         # NFS mountd
    mountd          861/tcp                         # NFS mountd
    rquotad         863/udp                         # NFS rquotad
    rquotad         863/tcp                         # NFS rquotad
    status          865/udp                         # NFS status (listen)
    status          865/tcp                         # NFS status (listen)
    status          866/udp                         # NFS status (send)
    status          866/tcp                         # NFS status (send)
    nfsd            2049/tcp                        # NFS server daemon
    nfsd            2049/udp                        # NFS server daemon
    lockd           4045/udp                        # NFS lock daemon/manager
    lockd           4045/tcp                        # NFS lock daemon/manager
Next, you'll need to modify your /etc/rc.d/rc.nfsd script accordingly (for other Linux distributions, find the script that starts these daemons and add the needed flags):
- Make the quota daemon listen on port 863
    if [ -x /usr/sbin/rpc.rquotad ]; then
      echo "  /usr/sbin/rpc.rquotad -p 863"
      /usr/sbin/rpc.rquotad -p 863
    fi
- Make the mount daemon listen on port 861
    if [ -x /usr/sbin/rpc.mountd ]; then
      echo "  /usr/sbin/rpc.mountd -p 861"
      /usr/sbin/rpc.mountd -p 861
    fi
Now modify the /etc/rc.d/rc.rpc script (again, for other Linux distros, find the script that starts this daemon and add the needed flags). On older versions of Slackware (before 11.0), rpc.statd is started in rc.nfsd, so look there instead.

- Make the status daemon listen on port 865 and send from port 866 (note that you'll have to open port 866 on the NFS clients)

    if ! ps axc | grep -q rpc.statd ; then
      echo "Starting RPC NSM (Network Status Monitor):  /sbin/rpc.statd -p 865 -o 866"
      /sbin/rpc.statd -p 865 -o 866
    fi
Finally, make the lock daemon listen on port 4045 only. Because lockd is a kernel module, this is done with module loading parameters rather than a command-line flag: put them in /etc/modules.conf (for 2.4 kernels), /etc/modprobe.conf (for 2.6 kernels) or /etc/modprobe.d/options (for newer 2.6 kernels with module-init-tools >= 3.2.2; create this file if it doesn't already exist). It won't hurt to set it in all of them. Add this line to the file(s) referenced above:

    options lockd nlm_udpport=4045 nlm_tcpport=4045
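Once the daemons have been restarted (or the box rebooted), it is worth confirming that they really registered with the portmapper on the pinned ports before trusting the firewall rules. The following is an added example and not part of this HOWTO: it checks "rpcinfo -p" output against the port map above and then prints the server-side iptables rules that open exactly those ports. The rpcinfo output shown is a constructed sample (lockd's UDP side deliberately still on a random port, as happens when the lockd options line was not picked up), and the client network 192.168.1.0/24 is a placeholder.

```shell
#!/bin/sh
# Added example, not from the HOWTO: check that the RPC daemons registered on the
# pinned ports, then emit iptables rules for exactly those ports. The client
# network 192.168.1.0/24 is a placeholder.
# service proto port, as pinned in the HOWTO (plus the portmapper itself)
EXPECTED='
portmapper udp 111
portmapper tcp 111
mountd udp 861
mountd tcp 861
rquotad udp 863
rquotad tcp 863
status udp 865
status tcp 865
nfs udp 2049
nfs tcp 2049
nlockmgr udp 4045
nlockmgr tcp 4045
'
# Constructed sample of "rpcinfo -p" output; lockd's UDP side is still on a
# random port here, as it is when the options line for lockd was not picked up.
SAMPLE_RPCINFO='   program vers proto   port
    100000    2   tcp    111  portmapper
    100005    1   udp    861  mountd
    100005    1   tcp    861  mountd
    100024    1   udp    865  status
    100003    2   tcp   2049  nfs
    100021    1   udp  32768  nlockmgr
    100021    1   tcp   4045  nlockmgr'
# check_rpc_ports: read rpcinfo -p on stdin; report every pinned service that is
# not on its expected port and return 1 if any was found.
check_rpc_ports() {
    bad=0
    while read -r prog vers proto port name; do
        case "$prog" in program|"") continue;; esac   # header or blank line
        want=$(printf '%s\n' "$EXPECTED" | awk -v n="$name" -v p="$proto" '$1==n && $2==p {print $3}')
        [ -z "$want" ] && continue                     # not a service we pinned
        if [ "$port" != "$want" ]; then echo "$name/$proto on port $port, expected $want"; bad=1; fi
    done
    return $bad
}
# nfs_iptables_rules [client-net]: server-side INPUT rules for the pinned ports only
nfs_iptables_rules() {
    printf '%s\n' "$EXPECTED" | awk -v net="${1:-192.168.1.0/24}" \
        'NF==3 { printf "iptables -A INPUT -s %s -p %s --dport %s -j ACCEPT\n", net, $2, $3 }'
}
```

On a real server run "rpcinfo -p localhost | check_rpc_ports" after sourcing the script; remember that the clients additionally need the rule for the statd send port (866) described above.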
Good luck - talk to me on IRC if you have trouble.